
Edraak Data Leak: Education Nonprofit Delayed Disclosure

April 8, 2021
Edraak Data Exposure: Student Information at Risk

A significant data security incident has come to light involving Edraak, a nonprofit organization dedicated to online education. Thousands of student records were inadvertently exposed due to the uploading of sensitive data to an unsecured cloud storage server.

Organization Overview

Established in 2013, Edraak was founded by Jordan’s Queen Rania and operates from Amman, the nation’s capital. Its core mission is to advance educational opportunities throughout the Arab world. The organization collaborates with prominent partners, including the British Council and edX – a collaborative initiative of Harvard, Stanford, and MIT universities.

Discovery of the Breach

In February, cybersecurity researchers from TurgenSec, a U.K.-based firm, identified an Edraak cloud storage server containing data pertaining to a substantial number of students. This data included spreadsheets detailing student names, email addresses, gender, year of birth, nationality, and, in some cases, academic grades.

Attempts to Notify Edraak

TurgenSec, operating the security incident disclosure site Breaches.UK, promptly notified Edraak regarding the security vulnerability. Despite initial acknowledgment of the email a week later, the exposed data remained accessible. Researchers subsequently attempted to reach additional personnel within the organization and its partners, such as the British Council, through LinkedIn requests.

Delayed Resolution

The exposed server remained open for two months. It was only after TechCrunch made contact, at Edraak’s request, that the server was finally secured, within hours of that contact.

Edraak’s Explanation

According to Edraak chief executive Sherif Halawa, the storage server was intended for public access, hosting public course materials like images, videos, and educational resources. He stated that student data was never intentionally stored in this location.

“An unfortunate configuration error led to the accidental placement of some academic data and student information exports within the server,” Halawa explained. He further confirmed that an initial scan failed to detect the misplaced data, attributing the information flagged by Breaches.UK to routine student uploads.

“We have now identified these misplaced reports and rectified the issue,” Halawa added.

Response from the British Council

The British Council spokesperson, Catherine Bowden, indicated that their organization received the initial notification from TurgenSec but mistakenly classified it as a phishing attempt.

Current Status and Notification of Affected Students

Edraak’s CEO Halawa confirmed that the organization has initiated the process of notifying affected students about the incident and published a related blog post on Thursday. The server is now inaccessible to the public.

Previous Incidents by TurgenSec

TurgenSec previously uncovered a similar security lapse involving Virgin Media, a U.K. internet provider. An unencrypted customer database was left online, exposing records linking some customers to adult websites.
